Azure
/
Azure-Sentinel
зеркало из
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
Azure-Sentinel/Workbooks/AlsidIoE.json

518 строки
19 KiB
JSON
Исходник Ответственный История

Этот файл содержит неоднозначные символы Юникода!

Этот файл содержит неоднозначные символы Юникода, которые могут быть перепутаны с другими в текущей локали. Если это намеренно, можете спокойно проигнорировать это предупреждение. Используйте кнопку Экранировать, чтобы подсветить эти символы.

{
"version": "Notebook/1.0",
"items": [
{
"type": 9,
"content": {
"version": "KqlParameterItem/1.0",
"parameters": [
{
"id": "be5a3a6e-51b1-4c1a-86f9-0847b3bd1dd5",
"version": "KqlParameterItem/1.0",
"name": "TimeRange",
"label": "Time Range",
"type": 4,
"description": "Specify the time range on which to query the data",
"isRequired": true,
"value": {
"durationMs": 7776000000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
],
"allowCustom": false
},
"timeContext": {
"durationMs": 86400000
}
},
{
"id": "876a8c8a-7378-475b-800b-bf7560a5f80b",
"version": "KqlParameterItem/1.0",
"name": "SamplingPeriod",
"label": "Sampling Period",
"type": 4,
"description": "Specify the sampling period for the time charts",
"isRequired": true,
"value": {
"durationMs": 86400000
},
"typeSettings": {
"selectableValues": [
{
"durationMs": 300000
},
{
"durationMs": 900000
},
{
"durationMs": 1800000
},
{
"durationMs": 3600000
},
{
"durationMs": 14400000
},
{
"durationMs": 43200000
},
{
"durationMs": 86400000
},
{
"durationMs": 172800000
},
{
"durationMs": 259200000
},
{
"durationMs": 604800000
},
{
"durationMs": 1209600000
},
{
"durationMs": 2419200000
},
{
"durationMs": 2592000000
},
{
"durationMs": 5184000000
},
{
"durationMs": 7776000000
}
]
}
}
],
"style": "pills",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces"
},
"name": "parameters - 3"
},
{
"type": 11,
"content": {
"version": "LinkItem/1.0",
"style": "tabs",
"links": [
{
"id": "c449f281-ad2e-4f64-b9cf-505a82146c64",
"cellValue": "ioes",
"linkTarget": "parameter",
"linkLabel": "General",
"subTarget": "(\"\")",
"style": "link"
},
{
"id": "6405bfad-3e9c-4a78-812c-5a41b2433ef2",
"cellValue": "ioes",
"linkTarget": "parameter",
"linkLabel": "Password issues",
"subTarget": "(\"C-CLEARTEXT-PASSWORD\", \"C-PASSWORD-DONT-EXPIRE\", \"C-USER-REVER-PWDS\", \"C-PASSWORD-POLICY\", \"C-USER-PASSWORD\", \"C-KRBTGT-PASSWORD\", \"C-AAD-SSO-PASSWORD\", \"C-REVER-PWD-GPO\")",
"style": "link"
},
{
"id": "141c2e6f-725b-4714-93f7-51a77529ef76",
"cellValue": "ioes",
"linkTarget": "parameter",
"linkLabel": "User accounts issues",
"subTarget": "(\"C-ACCOUNTS-DANG-SID-HISTORY\", \"C-PRE-WIN2000-ACCESS-MEMBERS\", \"C-PASSWORD-DONT-EXPIRE\", \"C-SLEEPING-ACCOUNTS\", \"C-DANG-PRIMGROUPID\", \"C-PASSWORD-NOT-REQUIRED\", \"C-USER-PASSWORD\")",
"style": "link"
},
{
"id": "5dac6d08-ac9c-432b-a0e8-19fb8372ca02",
"cellValue": "ioes",
"linkTarget": "parameter",
"linkLabel": "Privileged accounts issues",
"subTarget": "(\"C-PRIV-ACCOUNTS-SPN\", \"C-NATIVE-ADM-GROUP-MEMBERS\", \"C-KRBTGT-PASSWORD\", \"C-PROTECTED-USERS-GROUP-UNUSED\", \"C-ADMINCOUNT-ACCOUNT-PROPS\", \"C-ADM-ACC-USAGE\", \"C-LAPS-UNSECURE-CONFIG\", \"C-DISABLED-ACCOUNTS-PRIV-GROUPS\")",
"style": "link"
},
{
"id": "d8397566-9823-430b-8390-72e35196ad65",
"cellValue": "ioes",
"linkTarget": "parameter",
"linkLabel": "AD attacks pathways",
"subTarget": "(\"C-PRIV-ACCOUNTS-SPN\", \"C-SDPROP-CONSISTENCY\", \"C-DANG-PRIMGROUPID\", \"C-GPO-HARDENING\", \"C-DC-ACCESS-CONSISTENCY\", \"C-DANGEROUS-TRUST-RELATIONSHIP\", \"C-UNCONST-DELEG\", \"C-ABNORMAL-ENTRIES-IN-SCHEMA\")",
"style": "link"
}
]
},
"customWidth": "50",
"name": "links - 2"
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser()\r\n| where MessageType == 0| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize AlertCount = count() by Explanation, Codename",
"size": 3,
"title": "Detected IoEs list with codenames explanations",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "tiles",
"tileSettings": {
"titleContent": {
"columnMatch": "Codename",
"formatter": 1
},
"leftContent": {
"columnMatch": "AlertCount",
"formatter": 12,
"formatOptions": {
"palette": "auto"
},
"numberFormat": {
"unit": 17,
"options": {
"style": "decimal",
"maximumFractionDigits": 2,
"maximumSignificantDigits": 3
}
}
},
"rightContent": {
"columnMatch": "Explanation"
},
"showBorder": false,
"size": "full"
},
"graphSettings": {
"type": 0,
"topContent": {
"columnMatch": "Explanation",
"formatter": 1
},
"centerContent": {
"columnMatch": "AlertCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
}
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 1,
"content": {
"json": "# Indicators of Exposure\r\nOur IoEs are behavioral detection indicators powered by the latest intelligence on the Active Directory threat landscape. Our team builds our IoEs from technical indicators (IOCs) and tactics, techniques and procedures (commonly referred as TTPs), and disseminate them to our users platforms transparently, therefore ensuring a permanent state-of-the-art detection capability.\r\n\r\n\r\n**Alsid for AD** measures the security maturity of your AD infrastructures through Indicators of Exposure (IoEs) and assigns severity levels (**Critical**, **High**, **Medium** or **Low**) to the constant flow of events that is being monitored and analyzed.\r\n\r\n-\tCritical: The IoE is dealing with AD sensitive object that will lead to a full AD compromise is one of them is accessed by an illegitimate user\r\n-\tHigh : The IoE is either dealing with post exploitation techniques (that could allow credential thefts for example or backdooring) or with exploitation techniques which is requiring some level of administrative right to be exploited\r\n\r\n-\tMedium : The IoE is referencing a security issue that will have impact on business related data but without endangering the entire AD infrastructure\r\n\r\n-\tLow: The IoE is related to good security practices. Deviances raised by this IoE have a minimal security impact on the monitored infrastructure\r\n\r\n\r\nFrom **Alsid for AD** interface, the **Indicators of Exposure** page displays IoE tiles arranged in the following order:\r\n\r\n- By severity level via color codes (red for Critical, orange for High, yellow for Medium and blue for Low).\r\n\r\n- Vertically, by order of severity (red for top priority and blue for least priority).\r\n\r\n- Horizontally, by order of complexity (starting with the least complex cases and ending with the most complex cases). The complexity indicator is dynamically computed by Alsid's platform to describe how difficult it will be for the Administration team to fix the deviant IoE.\r\n\r\n\r\nIn case of security regressions, **Alsid for AD** will trigger alerts."
},
"customWidth": "50",
"name": "text - 1"
}
]
},
"name": "group - 4",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser()\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize AlertCount = count() by Severity",
"size": 0,
"title": "IoEs severity chart",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "graph",
"graphSettings": {
"type": 2,
"topContent": {
"columnMatch": "Severity",
"formatter": 1
},
"centerContent": {
"columnMatch": "AlertCount",
"formatter": 1,
"numberFormat": {
"unit": 17,
"options": {
"maximumSignificantDigits": 3,
"maximumFractionDigits": 2
}
}
},
"nodeIdField": "Severity",
"graphOrientation": 3,
"showOrientationToggles": false,
"nodeSize": null,
"staticNodeSize": 100,
"colorSettings": {
"nodeColorField": "Severity",
"type": 1,
"colorPalette": "default"
},
"hivesMargin": 5
}
},
"customWidth": "25",
"name": "query - 1",
"styleSettings": {
"maxWidth": "50"
}
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let threshold = 1;\r\nlet SeverityTable=datatable(Severity:string,Level:int) [\r\n\"low\", 1,\r\n\"medium\", 2,\r\n\"high\", 3,\r\n\"critical\", 4\r\n];\r\nafad_parser\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| lookup kind=leftouter SeverityTable on Severity\r\n| where Level >= ['threshold']\r\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Severity",
"size": 0,
"title": "Alerts raised over time grouped by severity",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showLegend": true
}
},
"customWidth": "75",
"name": "query - 2"
}
]
},
"name": "Severity",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser()\n| where MessageType == 0| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\n| summarize AlertCount = count() by Codename",
"size": 3,
"title": "IoEs chart",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "piechart",
"chartSettings": {
"yAxis": [
"AlertCount"
],
"group": "Codename",
"createOtherGroup": 20,
"ySettings": {
"numberFormatSettings": {
"unit": 0,
"options": {
"style": "decimal",
"useGrouping": true
}
}
}
}
},
"customWidth": "50",
"name": "Piechart"
}
]
},
"name": "group - 5",
"styleSettings": {
"showBorder": true
}
},
{
"type": 12,
"content": {
"version": "NotebookGroup/1.0",
"groupType": "editable",
"items": [
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize Count = count() by bin(Time, {SamplingPeriod:seconds}), Codename",
"size": 0,
"title": "Number of triggered IoE alerts over time",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "timechart",
"chartSettings": {
"showLegend": true
}
},
"name": "query - 1"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "afad_parser\r\n| where MessageType == 0 and (\"\" in {ioes} or Codename in {ioes})\r\n| summarize by Time, DevianceID, Explanation",
"size": 0,
"title": "Triggered IoE alerts list",
"noDataMessage": "No alerts",
"noDataMessageStyle": 3,
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "DevianceID",
"exportParameterName": "SelectedDevianceID",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"sortBy": []
},
"customWidth": "50",
"showPin": false,
"name": "query - 3"
},
{
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let ID_ = dynamic({SelectedDevianceID});\r\nafad_parser()\r\n| where MessageType == 0 and tostring(DevianceID) == tostring(ID_)\r\n| project ADObject",
"size": 3,
"title": "Impacted AD object",
"noDataMessage": "Please select a deviance to show impacted AD Objects",
"timeContext": {
"durationMs": 7776000000
},
"timeContextFromParameter": "TimeRange",
"exportFieldName": "AlertID",
"exportParameterName": "SelectedAlertID",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"gridSettings": {
"formatters": [
{
"columnMatch": "ADObject",
"formatter": 0,
"formatOptions": {
"customColumnWidthSetting": "100%"
}
}
]
}
},
"customWidth": "50",
"name": "query - 4"
},
{
"type": 1,
"content": {
"json": "You can select an alert to show details about it",
"style": "info"
},
"name": "text - 5"
}
]
},
"name": "IoEs",
"styleSettings": {
"showBorder": true
}
}
],
"fallbackResourceIds": [
"/subscriptions/8c038010-3c7a-40c6-985f-db5e8a04e59f/resourcegroups/julien_clement-rg/providers/microsoft.operationalinsights/workspaces/eltanin-demo"
],
"fromTemplateId": "sentinel-Alsid for AD | Indicators of Exposure",
"$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
}
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку